//
// Author: Hari Sekhon
// Date: 2022-01-06 17:19:11 +0000 (Thu, 06 Jan 2022)
//
// vim:ts=2:sts=2:sw=2:et
//
// https://github.com/HariSekhon/Jenkins
//
// License: see accompanying Hari Sekhon LICENSE file
//
// If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
//
// https://www.linkedin.com/in/HariSekhon
//
// ========================================================================== //
// T r i v y
// ========================================================================== //
// Trivy security scanner
// Usage:
//
// If you're running on a Jenkins agent that already has the trivy binary bundled, just call it; otherwise download Trivy first
// Downloading Trivy only takes 7 seconds in testing
//
// downloadTrivy()
//
// trivy('...')
//
//
// If you've set up a Trivy container in your Jenkins agent pod like: https://github.com/HariSekhon/Kubernetes-configs/blob/master/jenkins/base/jenkins-agent-pod.yaml
//
// container('trivy') {
// trivy('...')
// }
//
// If you want to make it informational but not break the build:
//
// catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
// trivy('...')
// }
//
// Requires:
//
// - a Jenkins agent with Docker available locally, see https://github.com/HariSekhon/Kubernetes-configs/blob/master/jenkins/base/jenkins-agent-pod.yaml
//
// - if pulling docker images from Google Container Registry or Google Artifact Registry then be sure to set up Google Application Credentials first by calling
// gcpSetupApplicationCredentials.groovy, or set up general Docker authentication to GCR/GAR by calling gcpDockerAuth.groovy / gcrDockerAuth.groovy / garDockerAuth.groovy
//
// - if using the trivy container together with Google Application Credentials then make sure to set them up inside that container so they are available later, e.g.
//
// withCredentials([string(credentialsId: 'jenkins-gcp-serviceaccount-key', variable: 'GCP_SERVICEACCOUNT_KEY')]) {
// container('trivy') {
// gcpSetupApplicationCredentials()
// }
// }
//
// XXX: set the environment variable TRIVY_SERVER to use a Trivy server so you don't spend 15 minutes downloading the vulnerabilities DB on every Jenkins agent,
// which is especially important if you're using auto-spawning agents on Kubernetes. On Kubernetes, set this globally in Jenkins at $JENKINS_URL/configure to:
//
// TRIVY_SERVER=http://trivy.trivy.svc.cluster.local:4954
//
// https://github.com/HariSekhon/Kubernetes-configs/tree/master/trivy/base
//
// XXX: don't forget to set TRIVY_DEBUG=true for better logging
//
// Runs the Trivy CLI with the given argument string, inside an ansiColor('xterm') wrapper
// so Trivy's coloured output renders in the Jenkins console.
//
// args - everything after the binary name, e.g. 'image --severity HIGH myimage:tag'
//        (defaults to '', which runs a bare 'trivy'). The value is interpolated straight
//        into the shell script text, so it appears in the step label/console and is
//        evaluated by the shell: keep secrets out of it (use withCredentials / environment
//        variables instead) and do not feed it unvalidated pipeline parameters.
//
// A non-zero exit from trivy fails the sh step and therefore the build; wrap the call in
// catchError() (see the usage notes above) to make it informational only.
def call(args = '') {
  label 'Trivy'
  // The caller decides whether to wrap this in container('trivy') or to run
  // downloadTrivy() beforehand, so no container block is opened here.
  String trivyCommand = "trivy ${args}"
  ansiColor('xterm') {
    sh label: 'Trivy', script: trivyCommand
  }
}